This script, from Fireclick Web Analytics, then loaded a script via Akamai CDN that was hosted for a Fireclick domain, netflame.cc: a248.e.akamai.net/f/248/5462/3h/hints.netflame.cc/service/script/www.annualcreditreport.com
So this package was not coming from Equifax, but was being injected by a compromised analytics provider.
The difference pointed out in the headline being that when NYT, Amazon, Wikipedia, etc., have compromised scripts they can serve fake Flash updates. If CircleCI has them they can compromise my source code and API keys.
The vulnerability might be the same, but the danger to users is not.
Excerpt for reference:
This is a problem because the CircleCI browser context has full access to the CircleCI API, which is hosted on the same domain, so all eight of those companies' scripts can make requests to CircleCI API endpoints. Furthermore, CircleCI customers frequently either include credentials in source code or as environment variables in CircleCI. Set these, and you are trusting that CircleCI won't get compromised, or at least, your application is at most as secure as CircleCI is.
This is only reinforcing my conviction that blocking scripts and advertising isn't a consumer decision but a security one. I'm not unwilling to be advertised to (or analyzed), but I'm completely unwilling to expand my vulnerability from "the site I opened" to "every external service they can think to load".
"... I'm completely unwilling to expand my vulnerability from the 'site I opened' to 'every external service they can think to load'."
I think that is a reasonable decision.
What would be the most effective way to protect against this vulnerability?
1. Ask the authors of the major browser you use to please change their software to your benefit instead of the advertisers who pay millions every quarter and finance the authors' salary.
Right now, all major browsers load scripts automatically. No user input required.
What gets loaded is determined by the website, not the user.
2. Turn off JavaScript.
3. Use a browser that does not load scripts automatically.
Or use one program to retrieve the stuff you want from the web, e.g., an http client, and another program or programs to read/view/play it, offline. Only the http client needs an internet connection.
4. Stop using the web. (Not meant to be flippant.) The web is but one part of the internet. Alas, it has been largely "taken over" by the lure of the sale of personal information about consumers and advertising.
Look for existing or new internet protocols that do not use the web but which can provide the same things that the web does.
The software to access these protocols does not have to be written by organizations with interests in data collection and advertising.
It may be possible to have a segment of the network that is noncommercial. Free from ad delivery.
The results don't really look like what they would be if Fireclick owned it. It's registered to a Thailand national using a personal gmail account.
Can't prove it, but I have a suspicion Fireclick let the domain lapse/expire, and some bad actor registered it, then figured out what content to post where, or got hacked themselves.
WHOIS history on that domain shows the registration changed hands on November 15, 2016. Before that, it was owned by "Digital River, Inc.":
Registrant Name: Digital River, Inc.
Registrant Organization: Digital River, Inc.
Registrant Street: 10380 Bren Road West
Registrant City: Minnetonka
Registrant State/Province: MN
Registrant Postal Code: 55343
Registrant Country: US
Registrant Phone: +1.9522531234
Registrant Email: hostmaster@digitalriver.com
They were probably the legitimate owners. The domain registration expiration date at that time was set for 2017, so it doesn't look like a registration lapse. It's unclear how and why the ownership was transferred.
I assume this must be because after the initial hack, every kid with a script pointed it at Equifax to see what they could get too. I would not want to be in the IT department at that company right now.
If the average script kiddie can meaningfully compromise your infrastructure, aren't you already screwed? Pretty much every automated attack possible is launched at every internet addressable server on a daily basis. I ran a web server for a couple years with nothing on it but nearly empty personal sites and files, and over 50% of its hits were automated scans and attacks.
Yeah, good luck showing damages. You basically have to wait until your identity is used for fraud, and then probably tie it specifically to the breach.
Say more please! What are the damages you claimed?
Just having your personal information stored insecurely should be grounds enough for damages but in the world of "identity theft" I didn't think it would have a case in small claims.
Noticed this on Monday. After registering for fraud alert, they send an email that has a link to http://www.equifax.com/fcra for free credit report. This was getting hijacked. But not if you used https://
Why would they send you to http at all if they already have https? This just seems like complete incompetence. It’s not like they have an excuse like their ad networks don’t work with https.
I know of companies with typos in their links that they email. These typos lead to scam sites. I've contacted them and they haven't yet fixed it. There needs to be a serious re-evaluation of the costs associated with failing such basic security measures like using https and just making sure you send people the correct link. Right now it isn't even a slap on the wrist.
But there are protections against this, such as HSTS. I would expect someone with as much sensitive information as Equifax to have HSTS + HPKP pinned into the major browsers. Their server should never even receive an HTTP request. It's just unrivaled incompetence.
Normally, people in marketing don’t write URLs by hand. They copy them and check that they look nice or have a generator make them for them.
So, how did they copy an http url instead of https, because the website should have redirected them to https before processing the request? (And I just hope that their internal network isn’t compromised.)
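As an added illustration of the protection the two comments above refer to (this is not code from the thread, and it says nothing about what Equifax actually deployed), here is a small model of a browser's HSTS store. Once the browser has seen a Strict-Transport-Security header over https for a host, it rewrites later http:// links to that host to https:// before any request leaves the machine, so a plaintext link in an email never reaches the network as plaintext. The hostnames (www.example.com and friends) and header values are constructed. One caveat worth keeping in mind: the store is only populated after one successful https visit, or by the browser's built-in preload list, so a brand-new user's very first http request is still exposed; the preload list exists to close exactly that gap.

```javascript
// Added example: a simplified model of a browser's HSTS store (RFC 6797).
// Not code from the thread or from Equifax; hostnames and header values below
// are constructed for illustration. Plain Node.js, no dependencies.

// Parse a Strict-Transport-Security header value into
// { maxAge, includeSubDomains }. Returns null when the header is invalid and
// must be ignored (missing or non-numeric max-age, duplicated directive).
function parseHsts(headerValue) {
  const directives = new Map();
  for (const raw of headerValue.split(';')) {
    const part = raw.trim();
    if (!part) continue;
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? null : part.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (directives.has(name)) return null; // duplicate directive invalidates the header
    directives.set(name, value);
  }
  const maxAge = directives.get('max-age');
  if (maxAge === undefined || maxAge === null || !/^\d+$/.test(maxAge)) return null;
  return { maxAge: Number(maxAge), includeSubDomains: directives.has('includesubdomains') };
}

// The store a browser keeps after receiving the header over a secure connection.
// `now` is seconds since the epoch, passed in explicitly so expiry is testable.
class HstsStore {
  constructor() { this.entries = new Map(); }

  // Record the header as received from `host` over https. Returns false if ignored.
  record(host, headerValue, now) {
    const parsed = parseHsts(headerValue);
    if (!parsed) return false;
    host = host.toLowerCase();
    if (parsed.maxAge === 0) { this.entries.delete(host); return true; } // max-age=0 forgets the host
    this.entries.set(host, {
      expires: now + parsed.maxAge,
      includeSubDomains: parsed.includeSubDomains,
    });
    return true;
  }

  // A host is "known" if it has an unexpired entry, or some parent domain has
  // an unexpired entry with includeSubDomains set.
  isKnownHost(host, now) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length - 1; i++) {
      const entry = this.entries.get(labels.slice(i).join('.'));
      if (!entry || entry.expires <= now) continue;
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // What the browser does with a link before any request is made: http:// to a
  // known host becomes https:// (the default port follows the scheme), so the
  // plaintext request discussed in the thread is never sent.
  upgrade(urlString, now) {
    const url = new URL(urlString);
    if (url.protocol === 'http:' && this.isKnownHost(url.hostname, now)) {
      url.protocol = 'https:';
    }
    return url.href;
  }
}

// Walk-through on constructed values: the first https visit stores the policy;
// later http:// links to the host and its subdomains are upgraded; other hosts
// and expired entries are left alone.
function demo() {
  const store = new HstsStore();
  const t0 = 1500000000; // arbitrary epoch seconds
  store.record('www.example.com', 'max-age=31536000; includeSubDomains', t0);
  return {
    sameHost: store.upgrade('http://www.example.com/fcra', t0 + 60),
    subdomain: store.upgrade('http://sub.www.example.com/report', t0 + 60),
    otherHost: store.upgrade('http://other.example.com/', t0 + 60),
    afterExpiry: store.upgrade('http://www.example.com/fcra', t0 + 31536000 + 1),
  };
}

console.log(demo());
```

The `afterExpiry` case is the part people forget: HSTS is a cached promise with a lifetime, so a site that sets a short max-age, or that ever stops sending the header, drifts back to the unprotected state for returning visitors.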
Equifax. That url is Equifax controlled. It just mentions fireclick in a comment. Click the url for the js and you'll see that it does a document.write to inject a script that's an akamai cached copy from an obscure .cc domain hosted file...this one: https://a248.e.akamai.net/f/248/5462/3h/hints.netflame.cc/se...
Update: The whois listing for the cc domain looks pretty odd. It's a person in Thailand, using a personal gmail address. Which would be odd contact details for a California company's domain. Possible of course, but unlikely.
Yeah, looks like a compromised ad/stats provider. That would also explain the intermittent nature of the bad download. I'd hope that the article gets updated with the facts...other companies might be vulnerable to this as well.
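The chain described in the comments above (first-party URL, a Fireclick mention in a comment, then a document.write that pulls an Akamai-cached copy of a script hosted for the .cc domain) is exactly the kind of thing that is hard to see in a page source and easy to see with a short script. The following is an added example, not code from the thread or from any of the companies mentioned: it walks the script loads a page triggers, follows document.write injections one hop at a time, and flags every host that is not the page's own. The "responses" are a constructed offline stand-in for what fetching each URL would return; the Akamai/netflame.cc URL is the one quoted in the thread, while the first-party paths (/js/site.js, /js/analytics-loader.js) and the third hop (hints.netflame.cc/tracker.js) are invented so the walk has something to show at each depth.

```javascript
// Added example: reconstruct the chain of script loads a page triggers, including
// scripts injected at runtime through document.write, and flag every host that is
// not the page's own. Not code from the thread; RESPONSES below is a constructed
// offline stand-in for fetch results. The akamai/netflame URL is the one quoted in
// the thread; the first-party paths and the tracker.js hop are invented.
// Plain Node.js, no dependencies.

const SCRIPT_SRC = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
// Naive: stops at the first ')', so a ')' inside the written string would cut it short.
const DOC_WRITE = /document\.write(?:ln)?\s*\(([\s\S]*?)\)/g;
const STRING_LIT = /'((?:\\.|[^'\\])*)'|"((?:\\.|[^"\\])*)"/g;

// Script src attributes in an HTML fragment, resolved against baseUrl.
function scriptSrcsFromHtml(html, baseUrl) {
  const out = [];
  for (const m of html.matchAll(SCRIPT_SRC)) {
    try { out.push(new URL(m[1], baseUrl).href); } catch { /* skip malformed src */ }
  }
  return out;
}

// Scripts a JS body injects via document.write: join the string literals passed to
// each call (undoing the customary "<\/script>" escape) and scan the result as HTML.
function scriptSrcsFromJs(js, baseUrl) {
  const out = [];
  for (const call of js.matchAll(DOC_WRITE)) {
    let html = '';
    for (const lit of call[1].matchAll(STRING_LIT)) {
      html += (lit[1] ?? lit[2]).replace(/\\\//g, '/');
    }
    out.push(...scriptSrcsFromHtml(html, baseUrl));
  }
  return out;
}

// Registrable-domain check approximated as "last two labels match". Fine for .com,
// .net and .cc hosts; a real tool would consult the Public Suffix List (co.uk etc.).
function sameSite(hostA, hostB) {
  const tail = h => h.split('.').slice(-2).join('.');
  return tail(hostA) === tail(hostB);
}

// Breadth-first walk from the page. fetchText(url) returns a body or null.
// Each reached script is reported with the hop it was reached at and what loaded it.
function walkScriptChain(pageUrl, pageHtml, fetchText, maxDepth = 5) {
  const pageHost = new URL(pageUrl).hostname;
  const seen = new Set();
  const report = [];
  let frontier = scriptSrcsFromHtml(pageHtml, pageUrl)
    .map(url => ({ url, via: pageUrl, depth: 1 }));
  while (frontier.length && frontier[0].depth <= maxDepth) {
    const next = [];
    for (const item of frontier) {
      if (seen.has(item.url)) continue;
      seen.add(item.url);
      const host = new URL(item.url).hostname;
      report.push({ ...item, host, thirdParty: !sameSite(host, pageHost) });
      const body = fetchText(item.url);
      if (body === null) continue;
      for (const child of scriptSrcsFromJs(body, item.url)) {
        next.push({ url: child, via: item.url, depth: item.depth + 1 });
      }
    }
    frontier = next;
  }
  return report;
}

// --- Constructed sample (not captured content) ---------------------------------
const PAGE_URL = 'https://www.equifax.com/fcra';
const PAGE_HTML = `<html><head>
<script src="/js/site.js"></script>
<script src="https://www.equifax.com/js/analytics-loader.js"></script>
</head><body>...</body></html>`;

const RESPONSES = new Map([
  ['https://www.equifax.com/js/site.js', 'window.site = {};'],
  // First-party loader that only mentions Fireclick in a comment and then writes
  // in the CDN-hosted netflame.cc script, as the comment above describes.
  ['https://www.equifax.com/js/analytics-loader.js',
    '/* Fireclick Web Analytics */\n' +
    'document.write(\'<script src="https://a248.e.akamai.net/f/248/5462/3h/hints.netflame.cc/service/script/www.annualcreditreport.com"><\\/script>\');'],
  // Invented third hop so the walk shows a depth-3 load from the .cc domain itself.
  ['https://a248.e.akamai.net/f/248/5462/3h/hints.netflame.cc/service/script/www.annualcreditreport.com',
    'document.write("<script src=\'//hints.netflame.cc/tracker.js\'><\\/script>");'],
]);

function auditSample() {
  return walkScriptChain(PAGE_URL, PAGE_HTML, url => RESPONSES.has(url) ? RESPONSES.get(url) : null);
}

for (const r of auditSample()) {
  console.log(`${'  '.repeat(r.depth - 1)}${r.thirdParty ? 'THIRD-PARTY' : 'first-party'} ${r.url}  (via ${r.via})`);
}
```

Two things the output makes obvious that a glance at the page source does not: the third-party host only appears at hop 2, behind a first-party URL, and the final script comes from a host nobody at the site chose directly. Since the bad payload in the thread was served intermittently, an audit like this is only useful if it is run repeatedly and the body of each hop is recorded (a hash is enough) so a change at the CDN or at the .cc origin shows up as a diff.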
Looks like they just took the page down as I was poking around trying to figure out where the redirect(s) came from.
Edit: Of course the error message is truthful:
>The Equifax.com website and Equifax Member Center are experiencing unusually high volumes due to responses to the recently announced Cybersecurity Incident. We are working diligently to better serve you, and apologize for any inconvenience this may cause. We appreciate your patience during this time and ask that you check back with us soon.
I am not generally a fan of heavy handed regulations but the government needs to step in and shut Equifax down right now. Literally pull the plug on everything they own.
If everyone were honest, neither greedy nor malicious, did pay attention, were competent, including securing their apps, and didn’t have either fires, floods or roads, no regulation or government would be necessary.
I think we should still strive to move towards being that way. Greed and maliciousness breed greed and maliciousness and it’d be good to root them out wherever we can.
I'm not sure what's worse: the fact that Equifax just got $7.25M for identity services from the IRS or the realization that the IRS just spent $7.25M on data they can get for free...
That $7.25M went to get the data of a different colour than the data they could find for free. Even when stuff is bit-for-bit identical, sadly, colour matters. The IRS needs to have the data painted "official", not "from a hack".
Yes they are, you can assert rights on a collection of facts that you have collected. A database containing the location of every tree in the UK would be a piece of protectable intellectual property.
There isn't "intellectual property", there is copyright, utility, patents, trademarks, design patents, ship hull design rights, and a bunch of others.
What's the law that gives people in some jurisdictions exclusive rights over collected data? Is it copyright again? I ask because I would like to learn more about this law, and it's difficult to do so if I don't even know what it's called. The term "intellectual property" adds confusion towards understanding the particulars.
Btw, as an interesting bit of trivia, the lack of copyrightability of data is why we have fun things like paper towns and other copyright traps:
Although in some jurisdictions such a right exists, it is not copyright.
The US constitution limits the restrictions on free speech caused by copyrights and patents and does not allow generic database rights systems that you find in the EU.
Credit rating agencies provide ratings for securities (e.g. corporate bonds). Their clients choose to pay them to issue ratings, so that the buyers of the securities will be more likely to buy them.
Credit reference agencies (Experian, Equifax, Callcredit) collect information about individuals and provide that information (credit history) to lenders for a fee.
There's no statutory obligation for banks to provide information to CRAs[0]. But agreements between CRAs and their clients (banks and lenders) generally requires that, if bank A uses CRA B to get info on prospective customers, then bank A must also report details of all its customers to CRA B.
There's some truth to what you said, though. It's often a problem for SMEs (small/medium businesses) to get loans. And, since only the bank they use for day-to-day banking has a good idea of their creditworthiness, they can't easily shop around to other banks. So there's legislation which forces the largest banks to make that information available to 3 CRAs, which must provide them to any lender which asks. BUT this only applies to SMEs (not consumers) and any SME can opt not to have their information shared in this way.[1]
[0] https://ico.org.uk/for-the-public/credit/
"As there is no DPA requirement for lenders to report such data to the credit reference agencies, it is up to the lender to decide which credit reference agency they wish to use, if any."
Can you give any more information about that, please?
Certainly when you apply to use financial services in the UK the terms often include consent to share your data with credit reference agencies, but this is the first time I've ever seen a suggestion that banks were required by law to do so.
If that's the case then, given the demonstrable incompetence of Equifax, that law should be changed immediately!
I don't believe that's true. (If it were, I could set up a credit rating agency, have all the banks share details with it, and then have free credit reports for my own (hypothetical) consumer lending business, rather than paying a pound or two for each pull.)
Care to cite the specific law? I'd be very interested in knowing, if such a law exists.
I assume that there has to be a legal definition that outlines what will qualify a business as a credit rating agency. The requirements are probably cumbersome, but something must be written down somewhere to objectively define the requirements.
Too late to edit, but small correction: the comment to which I replied talked about 'credit rating agency' (the companies that rate corporate bonds) when I believe they meant 'credit reference agency' (the companies that sell credit histories).
I repeated the error. In my comment, I meant 'credit reference agency', not 'credit rating agency'.
These people need to spend some money and get some good IT staff. The people at the top are getting all the cream, while the people that actually keep things going need an upgrade.
What's their excuse this time? A single worker brought in a cat that bit our entire server facility's power supply? Or some random guy who handled credentials was picked up by aliens.
You know how "admin:admin" aren't very good credentials for a supposedly secure production system dealing with sensitive information? Well, turns out, neither is "admin123"
What's the stack used for the real https version? I got redirected there (I guess malware doesn't like Safari desktop or uBlock origin saved me) and felt like I fell through a time warp to 2007 (update: 2004, in actuality) with the form Equifax presents. So much low-res skeuomorphism I almost got nostalgic.
Not necessarily related to the security issues, just curious.
Edited to add: The site has a Copyright of 2004. None of the JS tools are later than that. Is this really the current site in use? Unchanged for 13 years... wow. Would be sorta cool, you know, if it wasn't completely hacked.
Not at all, the site is definitely compromised. Someone posted a link[0] that when I opened on mobile is redirecting to a malware site. Confirmed on two separate Android devices running 7.1 + Chrome.